Dive Brief:
- Rate pressures on the cyber industry sector began to moderate as a surge in new buyers and corporate enforcement of cyber hygiene led to a more stable market, according to research from global insurance firm Marsh released Wednesday.
- Half of Marsh's U.S. clients purchased standalone cyber insurance policies in 2021, almost double the 26% of clients in 2016. More businesses understand the financial risks of a cyberattack affecting their bottom line, Marsh said.
- Meanwhile, cyber insurance rates are leveling out. Rate increases have steadily dropped from the high reached in December 2021, when businesses paid, on average, 133% more for cyber insurance year over year. That rate increase dropped to 107% in March and 90% in April. Research firm AM Best also found a more moderate pace of rate increases in Q1, Chris Graham, senior industry analyst, said.
Dive Insight:
At times, the cyber insurance market appeared headed toward a cliff, where the number of claims threatened to swallow the industry. Market contraction, the Russian invasion of Ukraine and an uptick in nation state cyberthreat activity all contributed to an unbalanced market.
But now, a surge in new buyers has begun to offset years of rising claims and higher premiums, according to data from global insurance firm Marsh.
The rate increases are still “terrible,” said Sridhar Manyem, director, research at AM Best. Where Marsh is cautiously optimistic, Manyem takes a more cautious view of the market. “The underwriting still needs to mature.”
The threats are evolving constantly, he said. One day it’s ransomware, the next it’s social engineering, phishing or patch problems.
“Insurance companies can probably control their losses through limits, deductibles, reinsurance [and] so on, so they have strategies to control their financial losses,” Manyem said.
To get lower rates, clients have to demonstrate a mastery of cybersecurity basics, with strong controls in place, according to Marsh.
The number of claims in the first quarter of 2022 remains high, Marsh research shows. Marsh clients filed more than 200 cyber claims in Q1, in line with the high number of quarterly claims across 2020 and 2021.
Almost one-third of total Marsh cyber claims stem from healthcare, communications, media and technology companies.
One thing that caught the cyber insurance industry unaware is the sudden increase in ransomware attacks, Manyem said. What’s left to watch is how insurers will adapt to the increase.
Marsh officials are optimistic the cyber insurance industry, as it matures, can level off. “As underwriters gain more confidence in pricing cyber coverage following a period of adjustment, there is increased competition and interest from new entrants, increasing the likelihood of rate moderation,” the report said.
Others, however, are not as optimistic. A June report from the U.S. Government Accountability Office questioned whether insurance can cover cyberattack losses. For the government in particular, its terrorism risk insurance may only kick in if an attack can be clearly defined as "terrorism."
The GAO called on the Cybersecurity and Infrastructure Security Agency to work with the Federal Insurance Office to assess whether cyberattack risks to critical infrastructure, and the potential financial fallout, warrant a federal insurance response.
It falls on companies to turn to security basics to try to keep cyber insurance rates in check. While insurers do not closely scrutinize the adoption of specific technology, they want to understand how companies craft risk management strategies using existing technology and internal standards.